Malicious PDF — malware analysis report

Static analysis result for SHA-256 bfab8724a6ff75b7…

MALICIOUS

PDF

47.5 KB Authoring application: Soda PDF
MD5: b093e0ecd5aa830287daa14069d9c867 SHA-1: 973aa8b004b5b07beb8773f57c278b49c5f47d6c SHA-256: bfab8724a6ff75b7f6fae8f0c6490d9f9cf37df50604502b64f0fe70311f5a0e
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links to external PDFs, a technique often used for SEO poisoning or to redirect users to malicious sites. The document body text, while partially corrupted, mentions 'Adobe reader dc signature validity is unknown' and includes URLs, suggesting a social engineering lure to trick users into clicking a link. The ClamAV detection and ML classifier further support its malicious nature, indicating it's likely a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://livestockin.com/uploads/1/3/0/7/130739028/xodubira.pdf
    • http://milwaukeepestpros.com/uploads/1/3/0/5/130588377/jamogadoru_jasutilozos_wifon_luwod.pdf
    • http://wonderwomanchildren.com/uploads/1/3/0/4/130483799/1437234.pdf
    • http://ndsucceed.com/uploads/1/3/0/5/130550777/mifarajarigux-ruzuveze.pdf
    • http://thehappygirlstore.com/uploads/1/3/0/5/130543154/130543154.html#adobe+reader+dc+signature+validity+is+unknown

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000010a3.bin
7873437e1a839ccf0cd7380fcfbc16ef57a2bdea4889f822d50b3e772ddd7477		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10A3 8372 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.